f 



29 



REMARKS 

Favorable action is respectfully requested. 

The Director is authorized to charge any fee 
deficiency required by this paper or credit any 
overpayment to Deposit Account No. 23-1123. 

Respectfully submitted, 

WESTMAN, CHAMPLIN & KELLY, P. A. 




Robert M. Angus, Reg. No. 24,3 83 
Suite 1600 - International Centre 
900 Second Avenue South 



Minneapolis, Minnesota 55402-3319 

Phone: (612) 334-3222 Fax: (612) 334-3312 



RMA: tas 




30 



]»iARKED UP VERSION OF REPLACEMENT CLAIMS 



1. (Amended) Method designed to prove to a controller 
entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with 
this entity, 

by means of all or part of the following 
parameters or derivatives of these parameters: 

- m pairs of private values Qi, Q2, ... Qm and 
public values Gi,G2, ... Gm (m being greater than or 
equal to 1) , 

- a public modulus n constituted by the product of 
f prime factors pi, p2, ... Pf (f being greater than or 
equal to 2) , 

the said modulus and the said private and public 
values being related by relations of the following type 
Gi . Qi^ = 1 . mod n or Gi . = Qi^ . mod n 
where v denotes a public exponent of the form: 

V = 2 

where k is a security parameter greater than 1; 

2 

the said m public values Gi being squares gi of m 
distinct base numbers gi, g2, ... gm/ smaller than the f 
prime factors pi, p2/ — Pm|; 

the said pi, P2/ ... Pm prime factors and/or the 
said m base numbers gi, g2/ ... gm being produced such 
that the following conditions are satisfied: 
First condition 

each of the equations: 



2 

Xv- = gi mod n -fi-)- 





can be resolved in x in the ring of integers 
modulo n; 
Second condition 



by taking Qi squared modulo n, k-1 times, one of them 
is not equal to (in other words is not trivial) , 



obtained by taking the inverse of Qi modulo n squared 
modulo n, k-1 times, one of them is not equal to +gi 

(in other words is not trivial) ; 
Third condition 

at least one of the 2m equations 

2 

X = gimod n 43-)- 
2 

X = -gimod n 4^4- 
can be resolved in x in the ring of integers 
modulo n; 

the said method implements, in the following 
steps, an entity called a witness having f prime 
factors pi and/or m numbers of base gi and/or 
parameters of the Chinese remainders of the prime 
factors and/or the public modulus n and/or the m 
private values Qi and/or the f.m components Qi,j (Qi,j 

= Qi tnod pj) of the private values Qi and of the public 
exponent v; 

- the witness computes commitments R in the ring 
of integers modulo n; each commitment being computed: 
. either by performing operations of the type: 



if G 



i = Qi niod n, among the m numbers qi obtained 



if Gi.Qi^ = 1 mod n, among the m numbers qi 



R = r"^ mod n 



where r is a random value such that 0 < r < n. 



32 



. or 

. . by performing operations of the type 
Ri ^ri"" mod Pi 
where ri is a random value associated with the 
prime number Pi such that 0<ri<Pi^ each ri belonging to 
a collection of random values {ri, ^2, . • . rf} 

. . then by applying the Chinese remainders method, 
- the witness receives one or more challenges d; 
each challenge d comprising m integers di hereinafter 
called elementary challenges; the witness, on the basis 
of each challenge d, computes a response D by 
performing operations of the type: 

^ ^ dl ^ d2 ^ dm , 

D = r.Qi .Q2 ... Qm niod n 

. or 

by performing operations of the type: 

Di = ri.Qi,i .Qi,2 Qi,m tnod pi 

. . then by applying the Chinese remainders 

method; 

the said method being such that there are as many 
responses D as there are challenges d as there are 
commitments each group of numbers R, d, D forming a 
triplet referenced {R,d,D}. 

2. (Amended) Method according to claim 1, designed to 
prove the authenticity of an entity known as a 
demonstrator to an entity known as the controller, the 
said demonstrator entity comprising the witness; 
the said demonstrator and controller entities executing 
the following steps: 

. Step 1: act of commitment R 
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at each call, the witness computes each 
commitment R by applying the process specified 
according to claim 1, 

- the demonstrator sends the controller all or 
part of each commitment R, 

. Step 2 : act of challenge d 

- the controller, after having received all or 
part of each commitment R, produces challenges d whose 
number is equal to the number of commitments R and 
sends the challenges d to the demonstrator, 

. Step 3 : act of response D 

- the witness computes the responses D from the 
challenges d by applying the process specified 
according to claim 1, 

. Step 4: act of checking 

- the demonstrator sends each response D to the 
controller, 

case where the demonstrator has transmitted a part 
of each commitment R if the demonstrator has 
transmitted a part of each commitment R, the 
controller, having the m public values Gi, G2 CSm, 
computes a reconstructed commitment R', from each 
challenge d and each response D, this reconstructed 
commitment R* satisfying a relationship of the type: 

R' - Gi^^G2^^ ... Gm^^. mod n 
or a relationship of the type 

R'^ DVGi^^Gs'^^ ... Grn^"^. mod n 
the controller ascertains that each reconstructed 
commitment R' reproduces all or part of each commitment 
R that has been transmitted to it. 
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case where the demonstrator has transmitted the 
totality of each commitment R 

if the demonstrator has transmitted the totality 
of each commitment the controller, having the m 

public values Gi, G2/... Gm, ascertains that each 
commitment R satisfies a relationship of the type 

R' ^ Gl^^Gs^^^ ... Gm'^'^. mod n 
or a relationship of the type 

R'^ DVGi^^.G2^^. ... Gm^"^. mod n^ 
Claims 3 and 4 are not changed. 

5. (Amended) Method according to claim 4, designed to 
prove the authenticity of the message M by checking the 
signed message through an entity called a controller; 
Checking operation 

the said controller entity having the signed 
message executes a checking operation by proceeding as 
follows : 

case where the controller has commitments R, 
challenges d, responses D, 

if the controller has commitments R, challenges d, 
responses D, 

. . the controller ascertains that the commitments 
R, the challenges d and the responses D satisfy 
relationships of the type 

R - Gi^\g2^^ ... Gm"^^. mod n 

or relationships of the type 

T>y ir> dl ^ d2 r% dm _ 
R = D /Gi .G2 . ... Gni . mod n 
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. . the controller ascertains that the message M, 
the challenges d and the commitments R satisfy the 
hashing function 

d = h (message, R) 
. case where the controller has challenges d 
and responses D 

if the controller has challenges d and 
responses D, 

. - the controller reconstructs, on the basis of 

each challenge d and response D, commitments R* 

satisfying relationships of the type: 

_ , ^ dl ^ d2 ^ dm ^^v , 
R' = Gi -G2 . ... Gm . D mod n 

or relationships of the type 

R'^ dVGi'^^.G2^^. ... Gm'^'^. mod n 
. . the controller ascertains that the message M 
and the challenges d satisfy the hashing function 

d=h (message , R ' ) 
. case where the controller has coinmitinents R and 
responses D 

if the controller has commitments R and responses D, 

- the controller applies the hashing function 

and reconstructs d* 

d' = h (message, R) 

. . the controller ascertains that the commitments 

R, the challenges d' and the responses D satisfy 

relationships of the type: 

_ dl ^ d2 dm _v , 

R = Gi .G2 . ... Gni . D mod n 

or relationships of the type 

_.v dl ^ d2 ^ dm 
R = D /Gi .G2 . ... Gm • mod n. 
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6. (Amended) System designed to prove, to a 
controller server, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with 
this entity, 

by means of all or part of the following 
parameters or derivatives of these parameters: 

- m pairs of private values Qi, Q2/ ... Qm and 
public values Gi,G2, ... Gm (m being greater than or 
equal to 1) , 

- a public modulus n constituted by the product of 
f prime factors pi, p2, ... Pf (f being greater than or 
equal to 2) , 

the said modulus and the said private and public 
values being related by relations of the following 
type : 

Gi . Qi^ = 1 . mod n or Gi = Qi^ mod n ; 
where v denotes a public exponent of the form: 

V = 2^ 

where k is a security parameter greater than 1; 

2 

the said m public values Gi being squares gi of m 
distinct base numbers gi, g2, ... gm/ smaller than the f 
prime factors pi, p2, ... Pf; 

the said pi, p2, Pf prime factors and/or the 
said m base numbers gi, g2, ... gm being produced such 
that the following conditions are satisfied: 
First condition 

each of the equations: 

2 

x»^- = gi mod n -fif 
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can be resolved in x in the ring of integers 
modulo n; 
Second condition 

if Gi = Qi^ mod n, among the m numbers qi obtained 
by taking Qi squared modulo n, k-1 times, one of them 
is not equal to +gi (in other words is not trivial )-^^ 

if Gi-Qi^ = 1 mod n, among the m numbers qi 
obtained by taking the inverse of Qi modulo n squared 
modulo n, k-1 times, one of them is not equal to +gi 
(in other words is not trivial) j_ 
Third condition 

at least one of the 2m equations 

2 

X = gimod n 43-)- 
2 

X s -gimod n 43-)- 
can be resolved in x in the ring of integers 
modulo n; 

the said system comprises a witness device, 
contained especially in a nomad object which, for 
example, takes the form of a microprocessor-based bank 
card, 

the witness device comprises 

- a memory zone containing the f prime factors pi 
and/or the m numbers of bases gi and/or parameters of 
the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or 
the f.m components Qi,j (Qi,j = Qi p j ) of the 

private values Qi and of the public exponent v; 
the said witness device also comprises: 





random value production means, hereinafter 



called random value production means of the witness 
device, 

- computation means, hereinafter called means for 
the computation of commitments R of the witness device, 
to compute commitments R in the ring of integers modulo 
n; each commitment being computed: 

• either by performing operations of the type: 



where r is a random value produced by the random 
value production means, and r is such that 0 < r < n; 
• or by performing operations of the type: 



where ri is a random value associated with the 
prime number pi such that 0 < ri < pi each ri belonging 
to a collection of random values {ri, r2 , . . . rf } 
produced by random value production means, then by 
applying the Chinese remainders method; 

the said witness device also comprises: 

- reception means hereinafter called the means for 
the reception of the challenges d of the witness 
device, to receive one or more challenges d; each 
challenge d comprising m integers di hereinafter called 
elementary challenges; 

- computation means, hereinafter called means for 
the computation of the responses D of the witness 
device for the computation, on the basis of each 
challenge d, of a response D, 

. either by performing operations of the type: 



Ri = r^mod n 



Ri = ri mod pi 



f 
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D s r.Qi^^Q2^^ ... Qm'^"' mod n 

. or by performing operations of the type: 

D = r.Qi^i .Qi,2 . Qi,m mod pi 
and then by applying the Chinese remainders 

methodT-_^ 

transmission means to transmit one or more 
commitments R and one or more responses D; 
there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, 
D forming a triplet referenced {R,d,D}. 

7. (Amended) System according to claim 6, designed to 
prove the authenticity of an entity called a 
demonstrator and an entity called a controller, 
the said system being such that it comprises: 

a demonstrator device associated with the 
demonstrator entity, the said demonstrator device being 
interconnected with . the witness device by 
interconnection means and possibly taking the form 
especially of logic microcircuits in a nomad object, 
for example the form of a microprocessor in a 
microprocessor-based bank card, 

a controller device associated with the 
controller entity, the said controller device 
especially taking the form of a terminal or remote 
server, the said controller device comprising 
connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a 
data-processing communications network, to the 
demonstrator device; 
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the said system enabling the execution of the 
following steps: 

. Step 1: act of coxnmitinent R 

at each call, the means of computation for the 
commitments R of the witness device compute each 
commitment R by applying the process specified 
according to claim 1, 

the witness device has means of transmission, 
hereinafter called the transmission means of the 
witness device, to transmit all or part of each 
commitment R to the demonstrator device through the 
interconnection means, 

the demonstrator device also has transmission 
means, hereinafter called the transmission means of the 
demonstrator device, to transmit all or part of each 
commitment R to the controller device through the 
connection means; 

. Step 2 : act of challenge d 

the controller device comprises challenge 
production means for the production, after receiving 
all or part of each commitment R, of the challenges d 
equal in number to the number of commitments R, 

the controller device also has transmission means, 
hereinafter denoted transmission means of the 
controller, to transmit challenges d to the 
demonstrator through connection means, 

, Step 3: act of response D 

the means of reception of the challenges d of the 
witness device receive each challenge d coming from the 
demonstrator device through the interconnection means, 
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the means of computation of the responses D of the 
witness device compute the responses D from the 
challenges d by applying the process specified 
according to claim 1, 

. Step 4: act of checking 
the transmission means of the demonstrator transmit 
each response D to the controller, 
the controller device also comprises: 

computation means, hereinafter called the 
computation means of the controller device, 

comparison means, hereinafter called the 
comparison means of the controller device, 
case where the demonstrator has transmitted a part of 
each commitment R 

if the transmission means of the demonstrator have 
transmitted a part of each commitment R, the 
computation means of the controller device, having m 
public values Gi, G2, G^, compute a reconstructed 

commitment R', from each challenge d and each response 
D, this reconstructed commitment R' satisfying a 
relationship of the type: 

R. ^ Gi^^Gs^^^ ... Gxn^^. mod n 
or a relationship of the type 

R»s DVGi^^.G2^^. ... Gm^"". mod n 
the comparison means of the controller device 

compare each reconstructed commitment R' with all or 

part of each commitment R received, 

case where the controller has transmitted the 

totality of each commitment R 



42 ^ 

if the transmission means of the demonstrator have 
transmitted the totality of each commitment R, the 
computation means and the comparison means of the 
controller device, having m public values Gi, G2, 
Gm ascertain that each commitment R satisfies a 
relationship of the type 

R ^ Gl^^G2'^^. ... Gm'^'". mod n 
or a relationship of the type 

R ^ 0^/01^^62"^^ ... Gm^"'. mod 

8. (Amended) System according ieto claim 6, designed j 
to give proof to an entity known as a controller, of 
the integrity of a message M associated with an entity 
known as a demonstrator, 

the said system being such that it comprises 

a demonstrator device associated with the 
demonstrator entity, the said demonstrator device being 
interconnected with the witness device by 
interconnection means and possibly taking the form 
especially of logic microcircuits in a nomad object, 
for example the form of a microprocessor in a 
microprocessor-based bank card, 

a controller device associated with the 
controller entity, the said controller device 
especially taking the form of a terminal or remote 
server, the said controller device comprising 
connection means for its electrical, electromagnetic, 
optical or acoustic connection, especially through a 
data processing communications network, to the 
demonstrator device; 
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the said system enabling the execution of the 
following steps: 

. Step 1: act of commitment R 

at each call, the means of computation of the 
commitments R of the witness device compute each 
commitment R by applying the process specified 
according to claim 1, 

the witness device has transmission means, 
hereinafter called the transmission means of the 
witness device, to transmit all or part of each 
commitment R to the demonstrator device through the 
interconnection means, 

. Step 2: act of challenge d 

the demonstrator device comprises computation 
means, hereinafter called the computation means of the 
demonstrator, applying a hashing function h whose 
arguments are the message M and all or part of each 
commitment R to compute at least one token T, 

the demonstrator device also has transmission 
means, hereinafter known as the transmission means of 
the demonstrator device, to transmit each token T 
through the connection means to the controller device, 
the controller device also has challenge production 
means for the production, after having received the 
token T, of the challenges d in a number equal to the 
number of commitments R, 

the controller device also has transmission means, 
hereinafter called the transmission means of the 
controller, to transmit the challenges d to the 
demonstrator through the connection means; 

. Step 3 : act of response D 



• 
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the means of reception of the challenges d of the 
witness device receive each challenge d coming from the 
demonstrator device through the interconnection means, 

the means of computation of the responses D of the 
witness device compute the responses D from the 
challenges d by applying the process specified 
according to claim 1, 

. Step 4: act of checking 

the transmission means of the demonstrator 
transmit each response D to the controller, 

the controller device also comprises computation 

means, hereinafter called the computation means of the 

controller device, having m public values Gi, G2/.../ 

Gxa, in order to firstly compute a reconstructed 

commitment R', from each challenge d and each response 

D, this reconstructed commitment R' satisfying a 

relationship of the type: 

« . ^ dl ^ d2 ^ dm ^v , 
R' = Gi .02 . ... Gm . D mod n 

or a relationship of the type 

R'^ 0701^^^02 ... Gm'*'". mod n 
then, secondly, compute a token T» by applying the 
hashing function h having as arguments the message M 
and all or part or each reconstructed commitment R', 

the controller device also has comparison means, 
hereinafter known as the comparison means of the 
controller device, to compare the token T' with the 
received token T. 



Claim 9 is not changed. 
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10. (Amended) System according to claim 9, designed to 
prove the authenticity of the message M by checking the 
signed message by means of an entity called the 
controller; 
Checking operation 

the said system being such that it comprises a 
controller device associated with the controller 
entity, the said controller device especially taking 
the form of a terminal or remote server, the said 
controller device comprising connection means for its 
electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing 
communications network, to the signing device; 

the said signing device associated with the 
signing entity comprises transmission means, 
hereinafter known as the transmission means of the 
signing device, for the transmission, to the controller 
device, of the signed message through the connection 
means, in such a way that the controller device has a 
signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

the controller device comprises: 

computation means hereinafter called the 
computation means of the controller device, 

comparison means, hereinafter called - the 
comparison means of the controller device— j;^ 

. case where the controller device has commitments 
R, challenges d, responses D 
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if the controller has commitments R, challenges d, 
responses D, 

. the computation and comparison means of the 
controller device ascertain that the commitments R, the 
challenges d and the responses D satisfy relationships 
of the type 

dl ^ d2 - dm -.v , 
R = Gi .G2 . ... Gm • D mod n 

or a relationship of the type 

T-i T^v dl ^ d2 dm , 

R = D /Gi .G2 . ... Gtn . mod n 

. the computation and comparison means of the 
controller device ascertain that the message the 
challenges d and the commitments R satisfy the hashing 
function: 

d = h (message, R) 
. case where the controller device has challenges 
d and responses D 

if the controller device has challenges d and 
responses D, 

the computation means of the controller 
device, on the basis of each challenge d and each 
response D, compute commitments R' satisfying 
relationships of the type: 



T-i dl ^ d2 dm — v , 

R s Gi .G2 .... Gtn . D mod n 

or a relationship of the type 

R s DVGi'^^.G2'^^. ... Gm^"". mod n 
. the computation and comparison means of the 
controller device ascertain that the message M and the 
challenges d satisfy the hashing function: 

d = h (message, R') 



case where the controller device has commitments R 
and responses D 

if the controller device has commitinents R and 
responses D, 

. . the computation means of the controller device 
apply the hashing function and compute d' such that 

d* = h (message, R) 
. the computation and comparison means of the 
controller device ascertain that the commitments R, the 
challenges d' and the responses D satisfy relationships 
of the type : 

^ ^ dl ^ d2 ^ dm ^^v , 
R s Gi .G2 . ... Gm . D mod n 

or a relationship of the type 

R ^ dVGi'^^.G2'^^. ... Gm"^"". mod n^ 

11. (Amended) Terminal device associated with an 
entity, taking the form especially of a nomad object, 
for example the form of a microprocessor in a 
microprocessor-based bank card, designed to prove to a 
controller device: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with 
this entity; 

by means of all or part of the following 
parameters or derivatives of these parameters: 

m pairs of private values Qi, Q2, ... Qm and public 
values Gi,G2, ... (m being greater than or equal to 

1), 

- a public modulus n constituted by the product of 
f prime factors pi, p2, ... Pf (f being greater than or 
equal to 2) , 
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the said modulus and the said private and public 
values being related by relations of the following type 
Gi . Qi^ = 1 mod n or Gi = Qi^ mod n ; 
where v denotes a public exponent of the form: 

V = 2 

where k is a security parameter greater than 1 : 

2 

the said m public values Gi being squares gi of m 
distinct base numbers gi, g2/ ... gm/ smaller than the f 
prime factors pi, P2 / Pf-^_£_ 

the said pi, p2/ ... Pf prime factors and/or the 
said m base numbers gi, g2/ ... gm being produced such 
that the following conditions are satisfied: 
First condition 

each of the equations: 

2 

= gi tnod n {4r4- 

can be resolved in x in the ring of integers 
modulo n 

Second condition 

if Gi = Qi^ mod n, among the m numbers qi obtained 
by taking Qi squared modulo n, k-1 times, one of them 
is not equal to -gi (in other words is not trivial) , 

if Gi.Qi^ = 1 mod n, among the m numbers qi obtained by 
taking the inverse of Qi modulo n squared modulo n, k-1 
times, one of them is not equal to +gi (in other words 
is not trivial) ; 
Third condition 

at least one of the 2m equations 

2 

X = gimod n fS^ 
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2 

X = -gimod n 

can be resolved in x in the ring of integers 

modulo n-r"_^ 

the said terminal device comprises a witness 
device comprising 

- a memory zone containing the f prime factors pi 
and/or the m numbers of bases gi and/or parameters of 
the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or 

the f.m components Qi,j {Qi,j ^ Qi ^nod p j ) of the 
private values Qi and of the public exponent v; 
the said witness device also comprises: 

random value production means, hereinafter 
called random value production means of the witness 
device, 

- computation means, hereinafter called means for 
the computation of commitments R of the witness device, 
to compute commitments R in the ring of integers modulo 
n; each commitment being computed: 

• either by performing operations of the 

type : 

R = r^mod n 

where r is a random value produced by the random 
value production means, and r is such that 0 < r < n. 

• or by performing operations of the type: 

Ri = ri^mod pi 
where ri is a random value associated with the 
prime number pi such that 0 < ri < pi each ri belonging 
to a collection of random values {ri, r2,..- rf} 




produced by random value production means, then by 
applying the Chinese remainders method; 

the said witness device also comprises: 

- reception means hereinafter called the means for 

the reception of the challenges d of the witness 
device, to receive one or more challenges d; each 
challenge d comprising m integers di hereinafter called 
elementary challenges; 

- computation means, hereinafter called means for 
the computation of the responses D of the witness 
device for the computation, on the basis of each 
challenge d, of a response D, 

. either by performing operations of the type: 

^ dl d2 dm , 

D = r.Qi .Q2 . ... Qtn iriod n 

. or by performing operations of the type: 

^ dl ^. d2 ^. dm , . 

D = r.Qi^i .Qi,2 • Qi,m mod pi 

and then by applying the Chinese remainders 
method . 

transmission means to transmit one or more 
commitments R and one or more responses D; 
there are as many responses D as there are challenges d 
as there are commitments R, each group of numbers R, d, 
D forming a triplet referenced {r, d, D} . 



Claims 12-14 are not changed. 



15. (Amended) Controller device especially taking the 
form of a terminal or remote server associated with a 
controller entity, designed to prove: 

- the authenticity or an entity and/or 
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- the integrity of a message M associated with 
this entity. 

by means of all or part of the following 
parameters or derivatives of these parameters: 

- m pairs of public values Gi,G2, ... Gm (m being 
greater than or equal to 1) , 

- a public modulus n constituted by the product of 
f prime factors pi, p2, ... Pf (f being greater than or 
equal to 2) , unknown to the controller device and the 
associated controller entity, 

the said modulus and the said private and public 
values being related by relations of the following type 
Gi. Qi^ = 1. mod n or Gi = Qi^ mod no- 
where V denotes a public exponent of the form: 

where k is a security parameter greater than 1; 
where Qi is a private value, unknown to the 
controller device, associated with the public value Gi; 

2 

the said m public values Gi being squares gi of m 
distinct base numbers gi, g2/ — gm/ smaller than the f 
prime factors pi, P2, - Pf; 

the said pi, p2f - Pf prime factors and/or the 
said m base numbers gi, g2/ ... gm being produced such 
that the following conditions are satisfied: 
First condition 

each of the equations: 

2 

= gi mod n -Hrf 
can be resolved in x in the ring of integers 
modulo n 
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Second condition 

if Gi = Qi^ mod n, among the m numbers qi obtained 
by taking Qi squared modulo n, k-1 times, one of them 
is not equal to (in other words is not trivial)— _^ 

if Gi.Qi^ = 1 mod n, among the m numbers qi obtained by 

taking the inverse of Qi modulo n squared modulo n, k-1 

times, one of them is not equal to +gi (in other words 

is not trivial) ; 
Third condition 

at least one of the 2m equations 

2 

X s gimod n 42-)- 
2 

X s -gimod n -B-)- 
can be resolved in x in the ring of integers 
modulo n. 

16. (Amended) Controller device according to claim 15, 
designed to prove the authenticity of an entity called 
a demonstrator to an entity called a controller; 

the said controller device comprising connection 
means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data- 
processing communications network, to a demonstrator 
device associated with the demonstrator entity; 

the said controller device being used to execute 
the following steps: 

Steps 1 and 2; act of commitment R, act of 
challenge d 

the said controller device also has means for the 
reception of all or part of the commitments R coming 



53 



from the demonstrator device through the connection 
means , 

the controller device has challenge production 
means for the production, after receiving all or part 
of each commitment R, of the challenges d in a number 
equal to the number of commitments R, each challenge d 
comprising m integers di hereinafter called elementary 
challenges—jr^ 

the controller device also has transmission means, 
hereinafter called transmission means of the 
controller, to transmit the challenges d to the 
demonstrator through the connection means; 

. Steps 3 and 4: act of response, act of checking 
the said controller device also comprises: 

- means for the reception of the responses D 
coming from the demonstrator device, through the 
connection means, 

computation means, hereinafter called the 
computation means of the controller device, 

comparison means, hereinafter called the 
comparison means of the controller device, 

case where the demonstrator has transmitted a part 
of each commitment Rt 

if the reception means of the demonstrator have 
received a part of each commitment R, the computation 
means or the controller device, having m public values 
Gl/ G2/ .../ Gm compute a reconstructed commitment R', 
from each challenge d and each response D, this 
reconstructed commitment R' satisfying a relationship 
of the type: 

R. ^ 01^^02*^^ ... Gm'^"'. mod n 
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or a relationship of the type 

DVC3i^-^.G2^^. ... Gm^^. mod n 
the comparison means of the controller device 
compare each reconstructed commitment R' with all or 
part of each commitment R received, 

case where the demonstrator has transmitted the 
totality of each commitment R 

if the reception means of the controller device 
have received the totality of each commitment R, the 
computation means and the comparison means of the 
controller device, having m public values Gi, G2, -.-/ 
Gtn ascertain that each commitment R satisfies a 
relationship of the type: 

R ^ Gi^\g2^^ ... Gm"^"^. mod n 
or a relationship of the type 

T^v dl ^ d2 ^ dm 
R = D /Gi .G2 . ... Gm . mod n^ 



Claim 17 is not changed. 

18. (Amended) Controller device according to claim 15, 
designed to prove the authenticity of the message M by 
checking a signed message by means of an entity called 
a signed message; 

the signed message sent by a signing device 
associated with a signing entity having a hashing 
function h (message, R) , comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the response D; 



Checking operation 

the said controller device comprising connection 
means for its electrical, electromagnetic, optical or 
acoustic connection, especially through a data- 
processing communications network, to a signing device 
associated with the signing entity, the said controller 
device having received the signed message from the 
signing device, through the connection means, 

the controller device comprises: 

computation means, hereinafter called the 
computation means of the controller device, 

comparison means, hereinafter called the 
comparison means of the controller device; 

. case where the controller device has cononitziients 
R, challenges d, responses D 

if the controller has commitments R, challenges d, 
responses D, 

. . the computation and comparison means of 
the controller device ascertain that the commitments R, 
the challenges d and the responses D satisfy 
relationships of the type 

R ^ Gi^\g2^^. ... Gm^^. mod n 

or a relationship of the type 

R = DVGi'^^.G2^^- ... Gm^^. mod n 
. the computation and comparison means of the 
controller device ascertain that the message M and the 
challenges d satisfy the hashing function 

d = h (message, R) 
. case where the controller device has commitments 
R and responses D 
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if the controller device has commitments R and 
responses D-r^ 

. . the computation means of the controller device 
apply the hashing function and compute d' such that 

d* = h (message, R*) 

. • the computation and comparison means of the 
controller device ascertain that the commitments R, the 
challenges d' and the responses D satisfy relationships 
of the type : 

R ^ Gi^^G2^^ ... Gm^"". mod n 
or a relationship of the type 

R = dVGi'^-'-.G2^^. ... Gm^'". mod 



